Author Topic: 4images gallery compromised! Running 1.7.7  (Read 3130 times)

cpuswe
4images gallery compromised! Running 1.7.7
« on: April 23, 2010, 10:13:12 AM »
Hi!

Got a mail from PayPal stating that my site was hosting a fake PayPal page for an hour back. Found a bunch of PHP files under the 4images directory "data".

Just want to warn anybody since my installation was fresh from Jan 14.

Note! I'm not saying it is actually 4images that is to blame, but since the files were found under the data directory there could be a hole somewhere.

Digging in the logs to find more.

batu544
Re: 4images gallery compromised! Running 1.7.7
« Reply #1 on: April 23, 2010, 10:29:21 AM »
Hi,
      Is there any other script you are using along with 4images?

Thanks,
batu544

cpuswe
Re: 4images gallery compromised! Running 1.7.7
« Reply #2 on: April 23, 2010, 10:39:06 AM »
Yes, there are some other things running too, but nothing that a normal visitor is accessing, I think.

I have been digging in the logs and the intruder left some things to look into, I think. On a quick check of the logs he has done a lot of testing before getting the file arab.php in the tmp_media directory. I will not go into details in public.

GET /captcha.php HTTP/1.1" 200 7999 "http://hackersite.xxxx/member.php?action=uploadform&cat_id=524
POST /member.php HTTP/1.1" 200 3172 "http://hackersite.xxxx/member.php?action=uploadform&cat_id=524
POST /data/tmp_media/aaaa.php.jpg HTTP/1.1" 200 4894 "http://hackersite.xxxx/data/tmp_media/aaaa.php.jpg
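
Added example (not part of the original posts and not 4images code): a small access-log check for the pattern visible in the excerpts above, that is, requests to script-named files, or POSTs, under the upload directory. The `/data/` prefix, the extension list and the sample lines are assumptions constructed for illustration.

```python
import re

# Directories that should only ever serve static uploads (assumption: the
# data/ tree named in the thread, which contains tmp_media).
UPLOAD_DIRS = ("/data/",)
# Extensions a PHP-enabled server may hand to the interpreter. Whether a name
# like x.php.jpg is executed depends on the server's handler mapping.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(?=\.|$)", re.IGNORECASE)
# Request part of an access log line: method, path, protocol, status.
REQUEST = re.compile(r'"?(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(line):
    """Return a list of reasons this log line is suspicious (empty if none)."""
    m = REQUEST.search(line)
    if not m:
        return []
    path = m.group("path").split("?", 1)[0]
    if not path.startswith(UPLOAD_DIRS):
        return []
    reasons = []
    name = path.rsplit("/", 1)[-1]
    if SCRIPT_EXT.search(name):
        reasons.append("script extension in upload directory")
    if m.group("method") == "POST":
        reasons.append("POST to static upload path")
    if reasons and m.group("status").startswith("2"):
        reasons.append("server answered 2xx")
    return reasons

def scan(lines):
    """Yield (path, reasons) for every suspicious request."""
    for line in lines:
        reasons = classify(line)
        if reasons:
            yield REQUEST.search(line).group("path"), reasons

# Constructed sample lines in the shape of the excerpts quoted in the thread.
SAMPLE = [
    'GET /captcha.php HTTP/1.1" 200 7999 "http://referrer.example/member.php?action=uploadform&cat_id=524"',
    'POST /member.php HTTP/1.1" 200 3172 "http://referrer.example/member.php?action=uploadform&cat_id=524"',
    'POST /data/tmp_media/aaaa.php.jpg HTTP/1.1" 200 4894 "http://referrer.example/data/tmp_media/aaaa.php.jpg"',
    'GET /data/media/1/holiday.jpg HTTP/1.1" 200 51234 "-"',
    'GET /data/tmp_media/arab.php HTTP/1.1" 404 312 "-"',
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE):
        print(path, "->", "; ".join(reasons))
```

A 2xx answer on a flagged line is the one to triage first, since it means the file existed and the server responded to it.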